PT-2014-8907 · Dokuwiki · Dokuwiki

Published

2014-12-17

·

Updated

2017-09-08

·

CVE-2014-9253

CVSS v2.0

4.3

Medium

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: DokuWiki versions prior to 2014-09-29b
Description: The issue allows remote attackers to inject and execute arbitrary web script or HTML by uploading an SWF file through the Media Manager and then requesting it via the "media" parameter of "lib/exe/fetch.php". Because fetch.php serves the file inline from the wiki's own origin, ActionScript in the uploaded SWF runs with that origin and can drive the page's JavaScript (a Flash-based XSS). The root cause is the default upload whitelist in conf/mime.conf, which permits the swf extension and lets such files be served inline.
Recommendations: Update to DokuWiki 2014-09-29b or later, which fixes the issue. Until the update is applied, remove the swf entry from the upload whitelist in conf/mime.conf (or prefix its MIME type with "!" so that fetch.php forces a download instead of rendering the file inline), delete any SWF files that have already been uploaded to the media directory, and consider restricting access to the "lib/exe/fetch.php" endpoint for untrusted users.
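The whitelist check behind the recommendation above, as an added example that is not part of the advisory or of DokuWiki's own code: it parses a conf/mime.conf in DokuWiki's layout (one `extension mime-type` pair per line, `#` comments, a `!` prefix on the MIME type meaning the file is forced to download rather than served inline), flags whitelisted extensions that a browser would execute when rendered inline from the wiki's origin, and emits a hardened copy with those lines commented out. The sample configuration is constructed; swf is the type named in the advisory, and the other flagged extensions are the editor's generalization to the same class of risk.

```python
"""Audit a DokuWiki-style conf/mime.conf upload whitelist for active content served inline.

Added example for CVE-2014-9253; not DokuWiki project code.
"""
from typing import Dict, List, Tuple

# Extensions whose content can run script when a browser renders them inline
# from the wiki's origin. 'swf' is the type from the advisory; the rest are the
# editor's extension of the same risk class (assumption, not from the advisory).
ACTIVE_INLINE_TYPES = {"swf", "html", "htm", "xhtml", "svg"}

# Constructed sample in the layout of DokuWiki's conf/mime.conf.
SAMPLE_MIME_CONF = """\
# ext   mime type  ('!' prefix forces the browser to download the file)
jpg     image/jpeg
png     image/png
pdf     application/pdf
zip     !application/zip
swf     application/x-shockwave-flash
html    !text/html
"""


def parse_mime_conf(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map extension -> (mime_type, force_download) for every whitelisted entry.

    '#' starts a comment, blank and malformed lines are skipped, and a leading
    '!' on the MIME type is recorded as the force-download flag.
    """
    entries: Dict[str, Tuple[str, bool]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no MIME type given
        ext, mime = parts[0].lower(), parts[1]
        force_download = mime.startswith("!")
        entries[ext] = (mime.lstrip("!"), force_download)
    return entries


def find_inline_active(entries: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Return whitelisted extensions that are active content and NOT forced to download."""
    return sorted(
        ext for ext, (_mime, forced) in entries.items()
        if ext in ACTIVE_INLINE_TYPES and not forced
    )


def harden(text: str) -> str:
    """Return a copy of the config with every flagged entry commented out.

    Commenting the line removes the extension from the upload whitelist, so the
    Media Manager refuses the upload; existing files on disk are not touched.
    """
    flagged = set(find_inline_active(parse_mime_conf(text)))
    out: List[str] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() in flagged:
            out.append("# " + raw)  # disabled: active content served inline
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = find_inline_active(parse_mime_conf(SAMPLE_MIME_CONF))
    print("inline active types in whitelist:", found or "none")
    print(harden(SAMPLE_MIME_CONF))
```

Run it against a real `conf/mime.conf` by reading the file into `parse_mime_conf`; an empty result from `find_inline_active` means no whitelisted type in the flagged set is served inline. Prefixing the MIME type with `!` instead of commenting the line keeps the upload allowed but makes fetch.php send it as a download, which is the other option named in the recommendation.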

Fix

RCE

XSS


Weakness Enumeration

Related Identifiers

CVE-2014-9253
MGASA-2014-0540

Affected Products

Dokuwiki